Firefox 12 released with UAC-less update system on Windows

Mozilla has released Firefox 12. The new version of the open source Web …

Mozilla announced today the availability of Firefox 12, a new version of the popular open source Web browser. The release brings some minor incremental feature improvements, a number of fixes under the hood, and a significant change to the browser’s update system on Windows.

Ever since Mozilla transitioned Firefox to a shorter development cycle, the organization has been working to make browser updates less intrusive and more seamless. The eventual goal is to make updates completely silent, performing them in the background without user intervention.

Mozilla is reportedly on track to deliver silent updates in Firefox 13, the next major version. The Firefox developers have been working to implement some of the underlying technical changes that are needed to support the functionality. One of those changes, which is included in Firefox 12, is a new update system that will be used on Windows.

In order to make updates silent, Mozilla has to first find a way to avoid the intrusive User Account Control (UAC) prompt. The UAC dialog is shown during the update process because the updater needs elevated privileges in order to modify the Firefox program files on the filesystem. The dialog requires user intervention, which makes it an obstacle to seamless updates. The new updater in Firefox 12 on Windows no longer requires the UAC dialog.

There are a number of different approaches that software applications can use to avoid triggering the UAC dialog during updates. Google’s Chrome Web browser, for example, installs itself in the user’s home directory rather than a destination on the filesystem that would require elevated privileges to modify. Mozilla was reluctant to take that approach for various security reasons, and opted instead to build their updater on top of a service.

A “service” on Windows is a kind of headless background task. Mozilla’s new update service, which is called MozillaMaintenance, has a high enough privilege level to be able to modify the Firefox files without needing a UAC prompt. Mozilla used a special access control entry to configure it so that it can be initiated by unprivileged applications.

This means that the conventional Firefox updater can instruct the service to launch and perform an update without user intervention. When the MozillaMaintenance service is launched with a command to perform an update, it will perform the task and then terminate itself; the service itself doesn’t remain in the background when it’s not needed. In unusual cases where the service can’t be installed, the conventional UAC-dependent updater will continue to be used.
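The access control entry described above lives in the service's security descriptor, which `sc.exe sdshow <service>` prints as an SDDL string. The following added example (not Mozilla's code and not part of the original article) parses such a string and reports what unprivileged groups may do with the service; both sample descriptors are constructed, and only allow-ACEs for well-known two-letter trustee aliases are evaluated.

```python
import re

# SDDL right codes as they apply to service objects: code -> (meaning, mask bit).
RIGHTS = {
    "CC": ("QUERY_CONFIG", 0x1), "DC": ("CHANGE_CONFIG", 0x2),
    "LC": ("QUERY_STATUS", 0x4), "SW": ("ENUMERATE_DEPENDENTS", 0x8),
    "RP": ("START", 0x10), "WP": ("STOP", 0x20),
    "DT": ("PAUSE_CONTINUE", 0x40), "LO": ("INTERROGATE", 0x80),
    "CR": ("USER_DEFINED_CONTROL", 0x100), "SD": ("DELETE", 0x10000),
    "RC": ("READ_CONTROL", 0x20000), "WD": ("WRITE_DAC", 0x40000),
    "WO": ("WRITE_OWNER", 0x80000),
}
# Well-known trustee aliases for groups that ordinary users belong to.
UNPRIVILEGED = {"IU": "Interactive Users", "AU": "Authenticated Users",
                "BU": "Users", "WD": "Everyone"}
# Rights that let the holder re-point or re-permission the service.
DANGEROUS = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}

# Constructed samples (NOT the real MozillaMaintenance descriptor).
SAMPLE_START_ONLY = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                     "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                     "(A;;CCLCSWLOCRRC;;;IU)(A;;RPLCRC;;;BU)")
SAMPLE_OVERBROAD = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                    "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)")


def decode_rights(field):
    """Turn an ACE rights field (two-letter codes or a hex mask) into names."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {name for name, bit in RIGHTS.values() if mask & bit}
    codes = re.findall(r"[A-Z]{2}", field)
    if "GA" in codes:  # GENERIC_ALL implies every right in the table
        return {name for name, _bit in RIGHTS.values()}
    return {RIGHTS[code][0] for code in codes if code in RIGHTS}


def parse_dacl(sddl):
    """Return (ace_type, trustee, rights) for every ACE in the DACL section."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, _flags, rights, _obj, _inherit, trustee = body.split(";")[:6]
        aces.append((ace_type, trustee, decode_rights(rights)))
    return aces


def audit(sddl):
    """Report what unprivileged trustees may do (deny-ACEs are ignored here)."""
    findings = {}
    for ace_type, trustee, rights in parse_dacl(sddl):
        if ace_type != "A" or trustee not in UNPRIVILEGED:
            continue
        entry = findings.setdefault(UNPRIVILEGED[trustee],
                                    {"can_start": False, "dangerous": set()})
        entry["can_start"] |= "START" in rights
        entry["dangerous"] |= rights & DANGEROUS
    return findings


if __name__ == "__main__":
    for label, sddl in (("start-only", SAMPLE_START_ONLY),
                        ("over-broad", SAMPLE_OVERBROAD)):
        print(label, audit(sddl))
```

A descriptor that grants ordinary users only `START` matches the design the article describes; any entry in `dangerous` means a standard user could reconfigure a service that runs with elevated privileges.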

The update process in Firefox 12 is not yet fully invisible, but the UAC prompt is no longer displayed. As I stated earlier in the article, full support for invisible updates is likely going to arrive in the next version.

In addition to the improved updater, Firefox 12 also offers a handful of other changes. As we reported in our coverage of the Firefox 10 and 11 releases, Mozilla has been working on a comprehensive suite of built-in developer tools for the browser. Those features have now largely stabilized, but Mozilla did take the opportunity to add a touch of polish in version 12: the page source viewer now has line numbering in the gutter.

Other changes include performance fixes for WebGL on Mac OS X, experimental support for the ES6 Map and Set APIs, and support for starting a download by pasting a URL in the download manager window (a more comprehensive overhaul of the download interface is currently in progress and slated for a future release).

The Firefox 12 release is available for download from Mozilla’s website. It’s also being rolled out through the browser’s update service. For more details about the new version, you can refer to the release notes.

When popular pieces of software have to be engineered to bypass a major piece of the security infrastructure (UAC) in order to be user friendly, you know something is wrong with that design in the first place. Microsoft should just redesign UAC and make it suck less. Right now, UAC is useless because users are trained to press that allow button no matter what.

> When popular pieces of software have to be engineered to bypass a major piece of the security infrastructure (UAC) in order to be user friendly, you know something is wrong with that design in the first place. Microsoft should just redesign UAC and make it suck less. Right now, UAC is useless because users are trained to press that allow button no matter what.

It has nothing to do with UAC not being user friendly (hint: It's extremely user friendly in Windows 7); it has to do with the fact the average user is an idiot who won't ever fucking update their software.

It took me nearly 4 years to finally convince my mother that updates were GOOD. Until that point she refused to update anything on her old XP Desktop. Not the browser, not the OS updates - nothing. I'd have to come home over weekends and do it when she wasn't around.

Clicking a single button for the UAC update is not indicative of being unfriendly to the user. It has to do with the fact that the user won't click it or will hit 'No' because it's an update. And god forbid they keep their system up to date...

My experience has been totally opposite. In an office environment with users that are less computer savvy than you'd hope, the UAC prompt rarely comes up in day-to-day use. So when it does come up, users call tech support, or simply say no!

Also, requiring software dev teams to properly develop apps for UAC is great! It's already rare for end users to need admin privileges once everything is installed. A sysadmin's dream is to not allow end users the ability to destroy their system, but still allow them to work, we're well down that road and getting closer every day!

> When popular pieces of software have to be engineered to bypass a major piece of the security infrastructure (UAC) in order to be user friendly, you know something is wrong with that design in the first place. Microsoft should just redesign UAC and make it suck less. Right now, UAC is useless because users are trained to press that allow button no matter what.

Yeah it's not as if there was a working solution in place for doing regular updates that only needs the prompt once at the original install.. oh wait.

If Chrome is administratively installed it still silently updates. This is done by creating a scheduled task which is started both on a schedule and on demand to process updates. In both cases - service for Firefox, scheduled task for Chrome - the updater can run with administrative privileges (usually as SYSTEM). The ACLs for both scheduled tasks and services are set to enable non-administrative users to start them. So the whole thing is kind of analogous to SUID.

> When popular pieces of software have to be engineered to bypass a major piece of the security infrastructure (UAC) in order to be user friendly, you know something is wrong with that design in the first place. Microsoft should just redesign UAC and make it suck less. Right now, UAC is useless because users are trained to press that allow button no matter what.

Well MS basically admitted to making the dialog annoying. This to force software suppliers to update how they did things.

> When popular pieces of software have to be engineered to bypass a major piece of the security infrastructure (UAC) in order to be user friendly, you know something is wrong with that design in the first place. Microsoft should just redesign UAC and make it suck less. Right now, UAC is useless because users are trained to press that allow button no matter what.

I totally agree. Linux should remove su. I should never have to elevate myself to admin/root to modify system locations.

Easy fix, always run as admin/root.

Under Windows, Chrome installs to the user directory, which is the ~/ equivalent. Firefox installs to the Program Files, which is the /bin equivalent.

In other words, Mozilla is just going to give Firefox's update system system privileges. Yeah. That's a great idea. We should all run as Administrators and turn off UAC. Seriously, is it *that* much of a hassle to click 'ok'? If I had it my way everyone would be running with standard user privileges and would need to type out the administrator's password to do anything system-wide, that way they'd stop coming to me with crapware and viruses spewed all over the system.

> In other words, Mozilla is just going to give Firefox's update system system privileges. Yeah. That's a great idea. We should all run as Administrators and turn off UAC. Seriously, is it *that* much of a hassle to click 'ok'? If I had it my way everyone would be running with standard user privileges and would need to type out the administrator's password to do anything system-wide, that way they'd stop coming to me with crapware and viruses spewed all over the system.

One problem right now is that non-admin users can't do the update at all. I run at home as a standard user and have an entirely separate admin account (what do you mean you aren't doing that as well?). And to update Firefox and Thunderbird I have to log out and log in as admin to update them. There is not even the possibility to elevate rights and do it.

> In other words, Mozilla is just going to give Firefox's update system system privileges. Yeah. That's a great idea. We should all run as Administrators and turn off UAC. Seriously, is it *that* much of a hassle to click 'ok'? If I had it my way everyone would be running with standard user privileges and would need to type out the administrator's password to do anything system-wide, that way they'd stop coming to me with crapware and viruses spewed all over the system.
>
> One problem right now is that non-admin users can't do the update at all. I run at home as a standard user and have an entirely separate admin account (what do you mean you aren't doing that as well?). And to update Firefox and Thunderbird I have to log out and log in as admin to update them. There is not even the possibility to elevate rights and do it.

Yes, and what if I don't want a resource using background task running just to update a web browser?

Even if it didn't terminate, eventually the process's memory would be swapped out and executable pages discarded due to copy on write, assuming modern Windows or Linux as of ages ago. Free memory is wasted memory anyway.

> One problem right now is that non-admin users can't do the update at all. I run at home as a standard user and have an entirely separate admin account (what do you mean you aren't doing that as well?). And to update Firefox and Thunderbird I have to log out and log in as admin to update them. There is not even the possibility to elevate rights and do it.

UAC doesn't pop up and ask for admin credentials or are you on XP?

No - I forget if the problem is that Firefox just doesn't try at all, or if it simply fails before it gets to UAC. But I'm on Windows 7 and I have the same problem.

> In other words, Mozilla is just going to give Firefox's update system system privileges. Yeah. That's a great idea. We should all run as Administrators and turn off UAC. Seriously, is it *that* much of a hassle to click 'ok'? If I had it my way everyone would be running with standard user privileges and would need to type out the administrator's password to do anything system-wide, that way they'd stop coming to me with crapware and viruses spewed all over the system.
>
> One problem right now is that non-admin users can't do the update at all. I run at home as a standard user and have an entirely separate admin account (what do you mean you aren't doing that as well?). And to update Firefox and Thunderbird I have to log out and log in as admin to update them. There is not even the possibility to elevate rights and do it.
>
> UAC doesn't pop up and ask for admin credentials or are you on XP?

I have the same problem on my Vista laptop. No UAC, it just simply doesn't upgrade unless I force it to. I just installed 12 this morning (I was on 10 because the update to 11 didn't happen) and I'm hoping this will solve that problem.

UAC is a good thing (for instance, at the moment visual studio 11 beta is trying to complete installation every time I reboot Windows -- because of UAC I know it's happening. Of course I've no idea how to fix it, but that's another problem).

> No - I forget if the problem is that Firefox just doesn't try at all, or if it simply fails before it gets to UAC. But I'm on Windows 7 and I have the same problem.

The problem is that your account is not an administrator AND you do not understand UAC. Being an administrator in Windows 7 means that anytime you do anything requiring administrator rights, you are asked. This even happens if you ARE 'administrator'. So you still have to make conscious decisions, but you don't have to log out and close all your applications just to install a patch to an application that is running nearly 24/7. Doing it your way or the UAC way has no effective difference in security, but one way is a huge hassle.

> Mozilla is reportedly on track to deliver silent updates in Firefox 13, the next major version.

Neat, so when is Firefox 13 due to be released? ... oh, I see. In the time it took me to ask this question, it seems we're already up to Firefox 15. Fantastic

Please, remind me in two and a half hours to laugh... Now excuse me, I've headache and I'm unable to.

Rkone wrote:

> My experience has been totally opposite. In an office environment with users that are less computer savvy than you'd hope, the UAC prompt rarely comes up in day-to-day use. So when it does come up, users call tech support, or simply say no!

> Mozilla’s new update service, which is called MozillaMaintenance, has a high enough privilege level to be able to modify the Firefox files without needing a UAC prompt. Mozilla used a special access control entry to configure it so that it can be initiated by unprivileged applications.

I'd like to know what they've done to secure this service and ensure that a) only Firefox can access it and b) it only pulls updates from authorized sources. The last thing we need is another high-access service floating around in the background

Not mentioned in the article, but as expected, Mozilla Thunderbird has also been updated to 12. I don't know if it includes the update changes or not. Perhaps Ars could check and update the article, if appropriate? I know the rendering engines track, not so sure about various other functions that might also share code. (Update mechanisms and procedures would seem prime for that, IMO.)

Any reports of any common A/V suites, particularly those with software firewalls, blocking the new update procedures for any reason? Oddly, my A/V suite seems to have blocked the Thunderbird update, but not the FF update. But it may have been a complete coincidence, with something temporary and entirely unrelated as the root cause. I only know that the TB update from 11.something-non-zero to 12 failed twice (by way of the About method, not a manual download), but then worked when I temporarily disabled Kaspersky 2012. Just something for admins to keep in mind, I guess. I can't imagine they changed comm ports or anything, but who knows?

Seems to me that a better way could be worked out to allow for updates without having to go around the UAC. Even having some sort of safe program list that the end user could add a program to that would not trigger a UAC prompt every time that program updates. Obviously this is more Microsoft trying to lock you in to Internet Explorer. But to play devil's advocate, I do not see the big deal over this. I could care less if I have to restart Firefox to update or have it do it automatically. Does it matter? No. I just wish Firefox would stop the frequent updates altogether, automatic or not.

I've heard lots of "rumblings" that this approach to bypassing UAC could become a malware vector, but I'm not knowledgeable enough to be able to determine if these are valid concerns or just random angry internet FUD. I was hoping Ars would address this. Is this likely to be a security risk? Is this "a bad idea" on their part?

> Seems to me that a better way could be worked out to allow for updates without having to go around the UAC. Even having some sort of safe program list that the end user could add a program to that would not trigger a UAC prompt every time that program updates. Obviously this is more Microsoft trying to lock you in to Internet Explorer. But to play devil's advocate, I do not see the big deal over this. I could care less if I have to restart Firefox to update or have it do it automatically. Does it matter? No. I just wish Firefox would stop the frequent updates altogether, automatic or not.

Yeah, just an evil Microsoft plot, because MS never ask for privileges to update IE... wait?

> I've heard lots of "rumblings" that this approach to bypassing UAC could become a malware vector, but I'm not knowledgeable enough to be able to determine if these are valid concerns or just random angry internet FUD. I was hoping Ars would address this. Is this likely to be a security risk? Is this "a bad idea" on their part?

This is not really "bypassing" UAC, in fact, it's pretty much what UAC was trying to accomplish: Mozilla devs have now separated the logic into two parts: those that require system privileges and those that don't.

There is a potential risk if the service is not appropriately hardened, but there are a few ways to reduce the risk. One of the best ways would be for the elevated service to be as small as possible, and responsible for nothing more than installing an update that was downloaded by a lower privilege process (say, the browser process), after verifying that the file is trusted (say, by verifying that it is signed by Mozilla).

> Seems to me that a better way could be worked out to allow for updates without having to go around the UAC. Even having some sort of safe program list that the end user could add a program to that would not trigger a UAC prompt every time that program updates. Obviously this is more Microsoft trying to lock you in to Internet Explorer. But to play devil's advocate, I do not see the big deal over this. I could care less if I have to restart Firefox to update or have it do it automatically. Does it matter? No. I just wish Firefox would stop the frequent updates altogether, automatic or not.
>
> This is not really "bypassing" UAC, in fact, it's pretty much what UAC was trying to accomplish: Mozilla devs have now separated the logic into two parts: those that require system privileges and those that don't.
>
> There is a potential risk if the service is not appropriately hardened, but there are a few ways to reduce the risk. One of the best ways would be for the elevated service to be as small as possible, and responsible for nothing more than installing an update that was downloaded by a lower privilege process (say, the browser process), after verifying that the file is trusted (say, by verifying that it is signed by Mozilla).

Exactly. All the security concerns about this process existed before as well. The biggest difference is, that now we don't have to worry about the million of possible other bugs in the firefox codebase that could somehow be used to exploit it.

Well written *nix programs have been doing separation of concerns for more than a decade now..

Seraphiel wrote:

> I'd like to know what they've done to secure this service and ensure that a) only Firefox can access it and b) it only pulls updates from authorized sources. The last thing we need is another high-access service floating around in the background

So you're *now* worried about that, but never questioned and informed yourself how FF did it before that? Well better late than never I assume.